Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

SecurityHub Access Denied because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action

0

I have SecurityHub setup in a central account but keep getting logs where its getting AccessDenied when trying to preform a config:GetComplianceDetailsByConfigRule on resources that security hub itself has setup. One example of the error is the following:

"eventSource": "config.amazonaws.com",
    "eventName": "GetComplianceDetailsByConfigRule",
    "awsRegion": "eu-west-2",
    "sourceIPAddress": "securityhub.amazonaws.com",
    "userAgent": "securityhub.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::{accountID}:assumed-role/AWSServiceRoleForSecurityHub/securityhub is not authorized to perform: config:GetComplianceDetailsByConfigRule on resource: securityhub-s3-bucket-logging-enabled-1b6b206d because no identity-based policy allows the config:GetComplianceDetailsByConfigRule action",
    "requestParameters": null,
    "responseElements": null,

Has anyone had this issue before and know of a fix to stop getting UnauthorizedAPICalls alerting?

Themen
Sicherheit, Identität & KonformitätManagement & Unternehmensführung
Tags
Sicherheit, Identität & KonformitätAWS Sicherheits-HubAWS ConfigAWS CloudTrail
Sprache
English
Alex
gefragt vor 2 Jahren604 Aufrufe
1 Antwort
0

You are missing permissions in AWSSecurityHubServiceRolePolicy.

See https://aws.amazon.com/premiumsupport/knowledge-center/config-error-security-hub/ and https://docs.aws.amazon.com/securityhub/latest/userguide/using-service-linked-roles.html

{
    "Effect": "Allow",
    "Action": [
         "config:PutConfigRule",
         "config:DeleteConfigRule",
         "config:GetComplianceDetailsByConfigRule",
         "config:DescribeConfigRuleEvaluationStatus"
    ],
    "Resource": "arn:aws:config:*:*:config-rule/aws-service-rule/*securityhub*"
}
AWS
Mike_O
beantwortet vor 2 Jahren
  • Alex
    vor 2 Jahren

    Sorry probably should have included this in the question but we're using the "AWSServiceRoleForSecurityHub" which has the "AWSSecurityHubServiceRolePolicy" policy attached. This policy already includes the permissions you mentioned which is why I can't understand the errors.

  • rePost-User-8781083
    vor 2 Jahren

    I'm seeing the same issue as the author. We've enabled AWS Security Hub, Security Hub is using the AWSServiceRoleForSecurityHub policy, and it has the linked policy that gives it "config:GetComplianceDetailsByConfigRule" on "arn:aws:config:::config-rule/aws-service-rule/securityhub".

    We're seeing the same error as the author, but on the securityhub-s3-bucket-public-read-prohibited-${id} rule.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt